From DevOps to DevSecOps

DevOps is a term formed by contracting two notions: Development (Dev) and System Operations (Ops).

DevOps thus refers to all of the processes that run from one to the other. The objective of such an approach is to engage in continuous development by increasing the number of iterations, so as to increase the output speed of the project. It is also about removing potential errors. It is an approach that covers the development, testing, integration and monitoring phases of applications.

To do this, DevOps is based on several methods, ranging from automation to simplification, but above all, it facilitates contact and feedback for management.

Nowadays, the notion of DevOps has broadened, and we now talk about Scrum teams as well as Agile Management. More precisely, this management tends to emphasise the importance of individuals themselves rather than the tools and processes used, although these remain essential.

As you will have understood, it is above all a question of changing both a state of mind and corporate culture.

[Diagram: DevSecOps]

And DevSecOps?

Out of the need to develop and facilitate this contact arose the realisation that there is a constant need for security at all levels. This is how DevSecOps was born.

While DevOps makes it possible to develop projects much faster, the implementation of security has, logically, changed quite a bit. In the past, when projects were developed over several months or less, the question did not arise. Now, however, it is no longer possible to simply develop and integrate security only at the very end of a project. This is all the more true in the current period, where security is making its way into all legislation and concerns.

But why is this necessary?

DevSecOps is derived from the very nature of DevOps, based on what is called “iterative” data, or in other words, based on repetitive exchanges. This is why the DevSecOps approach has become unavoidable. The aim is to compensate for the increased vulnerability created by increased exchanges and potential data leakage, among other things.

DevSecOps is therefore also based on this iterative principle, with successive and recurring steps of checking and verification.

This is why DevSecOps differs from external security measures such as firewalls. Indeed, it is integrated throughout the project directly from the code. This does not mean, however, that external blocking measures are no longer necessary.

The Various Means Available

As explained above, the concept of DevOps integrates all phases of development, as does the related security aspect.

Although the DevSecOps portion is integrated into the whole CI/CD process, it keeps its position of control at the “review” level, the moment of exchange between the code and the infrastructure (see diagram above).

  • Code/container security analysers
  • The addition of security tests at the unit test level
  • Automation of security fixes
  • Verification of the application of defined standards
  • Verification of the elimination of identification elements from the code
  • The systematisation of pentests
  • A security watch on the technologies used
  • Fast virtual patching in order to minimise the delay between the publication and the implementation of the final patch
  • Finally, the provision of a Security Champion (meaning a Security Issues Manager) following the raising of alerts. The Security Champion performs developmental control but also provides support that allows DevOps teams to develop security skills.
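
One way the “verification of the elimination of identification elements from the code” item can run at the review stage is sketched below. This is an added example, not code from the original article: the regular expression, the `scan_diff` function and the sample diff are all assumptions constructed for illustration.

```python
import re

# Assumed pattern: a credential-like name assigned a quoted literal.
SECRET_ASSIGN = re.compile(
    r"\b(\w*(?:password|passwd|secret|token|api_?key)\w*)"
    r"""\s*[:=]\s*["'][^"']{4,}["']""", re.I)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff: one remediation and two newly hard-coded values.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,2 +10,3 @@
 DEBUG = False
-SECRET_KEY = "old-hardcoded-value"
+SECRET_KEY = os.environ["SECRET_KEY"]
+DB_PASSWORD = "Zx9!qLm2#Vt7pRw4"
diff --git a/deploy/ci.yml b/deploy/ci.yml
--- a/deploy/ci.yml
+++ b/deploy/ci.yml
@@ -3,1 +3,2 @@
 steps:
+  api_token: "constructed-example-token"
"""

def scan_diff(diff_text):
    """Return (file, new line number, name) per ADDED line that hard-codes a credential."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False                      # next file header follows
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            in_hunk, lineno = True, int(m.group(1))
        elif in_hunk and line.startswith("+"):
            if (hit := SECRET_ASSIGN.search(line[1:])):
                findings.append((path, lineno, hit.group(1)))
            lineno += 1
        elif in_hunk and line.startswith(" "):
            lineno += 1                          # context advances numbering

    return findings

if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    for path, lineno, name in found:             # never echo the value itself
        print(f"{path}:{lineno}: hard-coded value assigned to {name}")
    raise SystemExit(1 if found else 0)          # non-zero blocks the merge
```

Because only added lines are inspected, a change that replaces a literal with an environment lookup passes the gate, while a newly introduced literal fails it with the file and line to fix.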

The Advantages of DevSecOps

As mentioned above, the core of DevSecOps is centred around people skills. DevSecOps is not only process automation and simplification: it also includes security experts. It allows for an increase in skills for the entire Scrum, and it is partly due to this increase that so much time is saved during project development.

Beyond the simple security aspect provided by DevSecOps, it also provides added value in the transfer of information from the existing infrastructure to the Dev and Ops teams.

It can provide centralised authentication solutions (via Keycloak, for example) or role separation, both in infrastructure and in applications.

Finally, the main advantage of DevSecOps is the Time to Market. When security is relegated to the end of the development process, companies can be faced with a long period of securing the product and will often have to return to development.

The holistic aspect of DevSecOps saves time: integrating security within the code avoids having to go back and forth among Scrum members and having to undertake costly actions. Because we know that time is money!

DevSecOps provides coherence across the whole platform, whether at the time of installation or as it evolves.

Are you looking for security and DevSecOps experts to help you in your operations? Contact us!